Email templates based on the Portuguese Government Finance & Tax are being used to push Lampion malware via malspam. Portuguese users were targeted with these emails that reported issues related to a debt of the year 2018. When the victim clicks on the links available in the email body the malware is downloaded from the online server. The downloaded file is a compressed file (.zip) called: FacturaNovembro-4492154-2019-10_8.zip.
As observed, after extracting the file, three files are presented.
The file “FacturaNovembro-4492154-2019-10_8.vbs” is the first stage of the Lampion’s infection chain. This is a Visual Basic Script (VBScript) file that is acting as a dropper and downloader. It downloads the next stage from the compromised server available on the Internet on an AWS S3 bucket.
The trojan Lampion uses anti-debug and anti-vm techniques. The use of a commercial protector known as VMProtector 3.x and also specially crafted codes make it difficult to analyze both on a sandbox environment or manually.
Exposure of sensitive information